This article is for any person interested in learning more about privacy and the Certified Information Privacy Professional US (CIPP/US) certification. If you want to get started in privacy, are deciding to pursue the CIPP/US, or are in the throes of studying, this guide is for you.
This guide assumes you have no knowledge about the CIPP/US, the certification process, the requirements to maintain your CIPP/US, or the knowledge required to pass the exam. Following this guide will provide you with a holistic overview and study plan to obtain your CIPP/US.
Before getting started, please be aware there is a considerable amount of content here. I encourage you to bookmark this page and skip around to the particular sections which are relevant to you. Different sections may be applicable based on where you are at in your certification journey.
If you have feedback on this post, or there is a particular section or piece of advice you would like me to incorporate, drop me a line. If this guide was useful to you, I'd love to hear about it!
What is the CIPP/US?
The CIPP/US is perhaps the most prolific privacy certification available today. It's offered by the International Association of Privacy Professionals (IAPP), a not-for-profit that helps define, promote, and improve the privacy profession globally. There are currently four active CIPP concentrations including one for the United States (CIPP/US), Asia (CIPP/A), Canada (CIPP/C), and Europe (CIPP/E).
Obtaining any of the CIPP certifications demonstrates a foundational understanding of the privacy laws, regulations, and enforcement in a given region. Specifically for the CIPP/US, you can expect to learn about US laws and regulations affecting several industries including healthcare, finance, education, telecommunications, and more.
You may consider many factors when deciding to pursue the CIPP/US. You may intend to break into the privacy field, expand your knowledge of US privacy laws as an engineer or software developer, or demonstrate as a lawyer that you are specialized in US privacy law. Whatever your motivations and background may be, this guide equips you with the necessary skills and background to be successful in your pursuit.
What Will You Learn?
Before diving into how to prepare for the CIPP/US, we first introduce what you can expect to learn from it—that's the goal after all, right?
For an exhaustive list of the topics covered in the CIPP/US, you should refer to the CIPP/US Body of Knowledge. However, the high-level modules you can expect to learn are listed below.
- Introduction to the US Privacy Environment
- Limits on Private-Sector Collection and Use of Data
- Government and Court Access to Private-Sector Information
- Workplace Privacy
- State Privacy Laws
Most of the testable content of the CIPP/US is concentrated in the first two modules. These modules introduce core concepts to US law, as well as sector-specific and cross-sector legislation, regulation, and enforcement. The other three modules are critical, but less weight is placed on them overall.
For an in-depth look at each of these modules and their corresponding topics, skip ahead to Mapping the Official Textbook.
Studying for any certification can be daunting. The material may be new and unfamiliar or it may be difficult to grok what is relevant to the exam. The following sections break down how long you should study for and what your study options are.
How Long Should You Study For?
The IAPP recommends that you study for a minimum of 30 hours—based on anecdata, this seems about right.
For reference, I spent ~40-50 hours across 16 weeks preparing for the CIPP/US certification exam. I did so through the Privacy for Professionals course at Georgia Tech, as part of my M.S. in Cybersecurity.
You do not necessarily have to invest this level of time and energy. This may vary greatly based on your experience and familiarity with US privacy law. There is also a decent amount of wiggle room when it comes to achieving a passing score.
In short, 30-40 hours seems about right for most people. If it's important to do particularly well on the exam (e.g., 90%+), you may want to invest some additional time.
Official Study Tools
For any certification, there is often a plethora of study resources and the CIPP/US is no different. Like many certifications, there is a mix of official and unofficial study tools to help you prepare for the certification exam. The official IAPP resources you may consider include:
- Official Textbook (Paid)
- Body of Knowledge (Free)
- Exam Blueprint (Free)
- Glossary of CIPP/US Terms (Free)
- Sample Exam Questions (Paid)
- Online and In-Person Training (Paid)
This is a substantial list so let's break it down.
Official Textbook
The resource that will be paramount to your success is the official textbook, U.S. Private-Sector Privacy: Law and Practice for Information Privacy Professionals. This book can be bought for $65 (IAPP Members) or $75 (Non-Members), or bought used from other marketplaces. The official textbook clearly outlines the information you'll need to pass the CIPP/US certification exam. This is a must-buy.
Body of Knowledge & Exam Blueprint
To use the official textbook effectively, it should be paired with both the CIPP/US Body of Knowledge and the CIPP/US Exam Blueprint. The Body of Knowledge provides a detailed breakdown of the information tested on the CIPP/US certification exam. Meanwhile, the Exam Blueprint details how many exam questions you can expect on a given topic—this allows you to target your time on topics that are heavily tested. We provide a high-level mapping of these three resources in Mapping the Official Textbook.
Glossary of CIPP/US Terms
As a complement to the official textbook, I recommend utilizing the IAPP Glossary of CIPP/US Terms. While some terms provide a varying level of detail, it's useful to ensure you're familiar with the high-level concepts and definitions—of which there are many.
Sample Exam Questions
You may also consider purchasing the IAPP Sample Exam Questions for $25 (IAPP Members) or $35 (Non-Members). This resource is reasonably priced and provides access to 30 example questions. These questions serve as a loose primer for the kind of questions you can expect on the CIPP/US certification exam. However, based on various anecdata, these questions may be easier than the questions on the exam. If you're on the fence, I'd recommend snagging these.
Online and In-Person Training
Finally, the IAPP and various approved partners offer online and in-person training. The cost of this training is substantial ($1,195 to $2,100). However, this may be a good fit for you if you have limited time to self-study or if a company is reimbursing the cost of attendance.
These trainings often include a copy of the official textbook, the IAPP sample exam questions, and sometimes a year of IAPP membership. However, the IAPP does not advertise these courses strictly as a "test prep" course. Additionally, anecdata suggests these trainings may not go into sufficient depth to effectively prepare you for the exam on their own.
Unofficial Study Tools
In addition to the official study tools mentioned above, there are many third-party resources (free and paid) that you may consider leveraging. These may include textbook outlines, example exam questions, online training, flashcards, and more.
Because we have not verified the quality of particular resources, we will not be linking to any external resources in this article. However, these should be relatively easy to find using your preferred search engine and may be useful.
Mapping the Official Textbook
In this section, we combine three of the resources that are critical to succeeding on the CIPP/US certification—the official textbook, body of knowledge, and exam blueprint. Behind the scenes, we've produced a detailed mapping between these resources and distilled this into a simplified view.
Each of the following sections represents one of five major modules present in the Body of Knowledge and Exam Blueprint. The Exam Blueprint defines a minimum and a maximum number of questions that may appear on the CIPP/US certification exam from each of these modules and their related topics.
Introduction to the US Privacy Environment
Throughout your time as a professional, or in your day-to-day experiences, you may have heard of various US privacy laws. You may have seen arguments on Twitter about HIPAA, FERPA, COPPA, etc. However, before understanding what these acronyms are, what they mean, and who they apply to, you first need a big-picture understanding of US law—this is provided in Module 1: Introduction to the US Privacy Environment.
Within Module 1 you will learn about the US legal system, sources of law, key definitions, regulatory authorities, state vs. federal enforcement, and more. You will learn about developing a privacy program, effectively managing user preferences, online privacy, privacy notices, and international data transfers.
This module is responsible for a substantial share of the 90 questions on the CIPP/US certification exam. At a minimum, 27 questions will be pulled from the topics below, up to a maximum of 35 questions:
| Topics | Min Questions | Max Questions | Chapter(s) |
| --- | --- | --- | --- |
| Structure of US Law | 4 | 6 | 2, 3 |
| Enforcement of US Privacy and Security Laws | 5 | 7 | 2, 3 |
| Information Management from a US Perspective | 18 | 22 | 1, 4, 5, 14 |
Limits on Private-Sector Collection and Use of Data
After establishing this baseline understanding of US law, we can turn our attention to sector-specific laws and regulations in Module 2: Limits on Private-Sector Collection and Use of Data. This module introduces laws relating to healthcare, finance, education, and telecommunications and marketing. For any given sector you'll be required to understand several laws and regulations and how they interact with one another.
This module is responsible for between 15 and 25 questions on the CIPP/US certification exam and covers the following topics:
| Topics | Min Questions | Max Questions | Chapter(s) |
| --- | --- | --- | --- |
| Cross-Sector FTC Privacy Protection | 5 | 7 | 3, 4, 5 |
| Telecommunications and Marketing | 1 | 3 | 11 |
Government and Court Access to Private-Sector Information
In addition to the private sector, there are specific laws that require, permit, or restrict the ability of governments and courts to gain access to data. In Module 3: Government and Court Access to Private-Sector Information you will learn about the US government's ability to require wiretaps or pen registers, access stored records and emails, issue national security letters, and more.
At this point, you may have noticed that a sizable number of questions are already accounted for. That is, up to 60 questions may come solely from Module 1 and Module 2. The following sections make up a significantly smaller proportion of the CIPP/US certification exam but should not be underestimated.
Within the Government and Court Access to Private-Sector Information module, you may see between 3 and 7 total questions. These are spread between topics such as Law Enforcement, National Security, and Civil Litigation as shown below:
| Topics | Min Questions | Max Questions | Chapter(s) |
| --- | --- | --- | --- |
| Law Enforcement and Privacy | 1 | 3 | 9, 13 |
| National Security and Privacy | 1 | 2 | 13 |
| Civil Litigation and Privacy | 1 | 2 | 13 |
Workplace Privacy
Fourth, but not least, in Module 4: Workplace Privacy you're expected to understand how various regulatory bodies govern workplace privacy and their specific responsibilities. There are several laws that protect employees' privacy before, during, and after employment from discrimination, monitoring, and more.
A slightly bigger module than Government and Court Access to Private-Sector Information, the Workplace Privacy module accounts for between 5 and 9 questions on the CIPP/US certification exam. Workplace privacy topics and their related mappings to the official textbook can be found below:
| Topics | Min Questions | Max Questions | Chapter(s) |
| --- | --- | --- | --- |
| Overview of Workplace Privacy | 2 | 4 | 8, 12 |
| Privacy Before, During, and After Employment | 3 | 5 | 12 |
State Privacy Laws
Finally, we close out the knowledge required for the CIPP/US in Module 5: State Privacy Laws. This module largely focuses on two main categories of privacy law: 1) data privacy and security laws and 2) data breach notification laws. You'll be expected to know details of state laws like the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA). You will learn what personal information is, what constitutes a data breach, when companies must notify consumers, and the rights of data subjects.
Before September 2021, this module was responsible for a very limited number of questions (between 5 and 7) on the CIPP/US Certification exam. However, with the introduction of important state privacy laws like the CCPA and VCDPA, the IAPP has necessarily bolstered this section to include between 9 and 15 questions!
This change makes the State Privacy Laws module the third-largest for the exam.
| Topics | Min Questions | Max Questions | Chapter(s) |
| --- | --- | --- | --- |
| Federal vs. State Authority | 1 | 3 | 2, 7 |
| Data Privacy and Security Laws | 6 | 8 | 5, 6, 7 |
| Data Breach Notification Laws | 2 | 4 | 7 |
Now that you're equipped with a high-level idea of the knowledge required, we can talk about the certification exam itself. If you've taken other certification exams, the CIPP/US follows a familiar format.
The CIPP/US certification exam is a 2.5-hour exam with 90 multiple-choice questions, of which 75 are scored. In other words, 15 of the questions on the CIPP/US certification exam do not contribute to your overall score.
Each question has one correct answer and three distractors. Some questions are scenario-based, where you are asked to apply your knowledge to a hypothetical situation.
There is no publicly available information related to the exact score required to pass the CIPP/US exam. However, "passing scores range between about 65 and 80 percent correct."
Registering for the Exam
To register for the CIPP/US certification exam you must purchase it from IAPP. For first-time takers, the cost comes in at $550. However, if you maintain another IAPP certification or if you're attempting the CIPP/US for the second time the cost is reduced to $375.
In addition to the exam cost, you must pay a Certification Maintenance Fee or become an IAPP Member after passing the exam. If you become an IAPP Member the Certification Maintenance Fee is waived, and you get access to various IAPP resources. I recommend referencing the options below to determine the option best fit for your situation:
| Option | Cost | Validity |
| --- | --- | --- |
| Certification Maintenance Fee | $250 | 2 Years |
| IAPP Membership (Professional) | $275 | 1 Year |
| IAPP Membership (Higher Education) | $100 | 1 Year |
| IAPP Membership (Not-For-Profit) | $100 | 1 Year |
| IAPP Membership (Government) | $100 | 1 Year |
| IAPP Membership (Retired) | $100 | 1 Year |
| IAPP Membership (Student) | $50 | 1 Year |
Studying for the Exam
Now that you have an idea of the study tools and materials available to you, we can move on to studying for the CIPP/US Certification Exam. Before we jump in, it's worthwhile to note that the CIPP/US covers a significant breadth and depth of knowledge—keep this in mind while studying.
My recommended path to success for the CIPP/US is:
- Take the sample exam.
- Read the book.
- Create an outline.
- Study the glossary terms.
- Review knowledge gaps.
Take the Sample Exam
Before diving into U.S. Private-Sector Privacy: Law and Practice for Information Privacy Professionals, I recommend you review the IAPP Sample Exam Questions. No worries if you decided not to purchase them; you can skip this and proceed to the next step: Read the Book.
Reviewing these sample exam questions is useful for framing your first read of the official textbook. It helps you understand the type of question, as well as the type of information you should keep an eye out for. The most important part of studying for the CIPP/US is understanding what to study. There is simply too much material for most people to memorize and a level of minutiae that is difficult to keep straight.
Read the Book
The next step in studying is to read the book. If you only rely on one resource to study for the CIPP/US Certification Exam it should be the official textbook. The topics in the text map nearly verbatim to those in the Body of Knowledge and the Exam Blueprint. If you're looking for a high-level overview of where you may want to focus your attention, refer to Mapping the Official Textbook.
You will need to know the content from every single chapter in the textbook aside from Chapter 15: Emerging Issues. You should plan to read every chapter at least once and may find yourself reviewing them multiple times. When reading, keep an eye out for details that look relevant, based on your experience with the sample exam questions. Do certain laws preempt other laws? Who does the law apply to? What are the consequences of failing to adhere to the law? How do laws like FERPA and HIPAA interact with one another and when?
The IAPP Privacy Certification Candidate Handbook states that questions on the exam may be scenario-based. These are hypothetical situations where you may be asked to decipher whether a particular law applies. As you're reading, try to think about how you may encounter a particular law in your day-to-day life, e.g., the HIPAA requirements you run into when you go to a doctor's office.
It may be worthwhile breezing through the book once before stopping to take copious notes. This will give you a bigger-picture understanding of the type of material you'll be expected to learn for the CIPP/US Certification Exam. On your second pass, you may want to create an outline.
Create an Outline
The CIPP/US Certification Exam lends itself particularly well to creating an outline. If you come from a legal background this process may be second nature to you. However, for others, the concept of an outline may be unfamiliar.
Usually, a good outline starts with a syllabus. The "syllabus" for the CIPP/US is the Body of Knowledge—I'd start here.
Even if outlines do not come naturally to you, an outline you create yourself can be an invaluable study resource. While you can find CIPP/US outlines online, oftentimes the best ones are the ones you write. These outlines save you from reading the entire textbook multiple times and instead let you focus on the exact content that matters.
As part of this outline, I would recommend creating a table for each of the laws covered in the textbook. You will want to keep track of key elements like:
- Who is covered by this law?
- What types of information are covered?
- What is required, permitted, or prohibited?
- Who enforces the law?
- What happens under noncompliance?
Study the Glossary Terms
To supplement Read the Book and Create an Outline, I recommend reviewing the IAPP Glossary of CIPP/US Terms. This should help solidify your understanding of key terms, as well as augment your outline with reliable definitions.
However, it's important to note that just because this glossary is provided by IAPP, it does not mean the terms have perfect or complete definitions. I encourage you to double-check these terms and build your own understanding of them while using the glossary as a guide and reference point.
Review Knowledge Gaps
Do a final double-check that you are aware of, and have a solid understanding of, the topics in the Body of Knowledge. If you're unsure of a particular law, e.g., CCPA or GDPR, spend a bit more time understanding the nuances of the law—you'll thank yourself later.
Because of the amount of content you're expected to know, it's easy to mix up and confuse certain laws. If a law was amended, be sure to know what was introduced and changed with the new amendment. It's important to keep these differences straight when studying. Look for the details and nuances of a law that you may have missed on your first pass.
You Passed, Now What?
After you pass the CIPP/US exam your next step should be to celebrate—Congratulations! After congratulating yourself and adding your shiny new certification to LinkedIn, you should consider what's next.
Continuing Privacy Education
In addition to becoming an IAPP Member or paying your Certification Maintenance Fee, you also must submit Continuing Privacy Education (CPE) credits. To maintain your CIPP/US, you must submit a total of 20 CPEs every 2 years per certification. So what are CPEs?
CPEs are the IAPP's mechanism for ensuring certification holders remain up-to-date with the latest in privacy. You can select any resources that apply to the content covered by the CIPP/US. For a complete guide to CPEs, refer to the IAPP's CPE Policy. Generally, CPEs can be obtained through:
- Books & Whitepapers
- Tools & Resources
- Web Conferences
The IAPP provides an invaluable resource for managing CPEs: CPE Central. Please note that you must be signed in to the IAPP site to see this resource. CPE Central provides access to a curated list of resources guaranteed to satisfy the CPE requirements for the CIPP/US. You can filter based on the categories above, free vs. paid resources, the number of credits, and the given certification type, e.g., CIPP/US, CIPM, CIPT. CPEs accessed through CPE Central are automatically applied to your CPE requirements after you view or purchase these resources.
It is my sincere hope that this guide was accessible, useful, and practical for you. If you have any feedback or would like to share your successes (or failures) with me, please let me know. Cheers.